This walk-through shows how to brute-force LUKS volumes using hashcat, how to mount a LUKS partition, and how to image it once it is decrypted.

Scenario: You've got a MacBook in. macOS has been removed and Debian 9.0 has been installed. The suspect is using LUKS (Linux Unified Key Setup) full disk encryption to encrypt the disk. The password is unknown and we need a forensically sound method to access the data. This is how I'd do it:

Requirements:
Hashcat 3.5.0+
FTK Imager (optional)
EnCase (optional)

Skip to step 5 to just see the hashcat step.
Skip to step 6 just to see the mounting and imaging.
1. Image the MacBook and load into EnCase
Imaging the hard drive can be done in a forensically sound manner via Thunderbolt, using another Mac and target disk mode. This is fairly easy and common, so it won't be detailed here.
Once we have an evidence file loaded into EnCase, we can see that the boot partition is visible but hda2 appears as Unallocated Clusters in an EXT2 partition.
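
One way to confirm that a partition shown as unallocated is really a LUKS container is to read its first 592 bytes and parse them as a LUKS1 header, which also reveals the cipher, hash and active key slots. This is an added example, not code from the original post; it assumes the LUKS1 on-disk header layout, a raw (dd-style) image and a partition byte offset taken from the partition table, and the function names and sample header are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD  # LUKS1 key-slot state markers
# LUKS1 header: magic, version, cipher-name, cipher-mode, hash-spec, payload-offset,
# key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid (208 bytes, big-endian)
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # state, iterations, salt, key-material offset, stripes
HEADER_LEN = PHDR.size + 8 * SLOT.size  # 592 bytes


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks1_header(buf):
    """Return the header fields as a dict, or None if buf is not a LUKS1 header."""
    if len(buf) < HEADER_LEN or not buf.startswith(LUKS_MAGIC):
        return None
    (_, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _, _, _, uuid) = PHDR.unpack_from(buf, 0)
    if version != 1:
        return None  # LUKS2 keeps its metadata in a different layout
    active = []
    for i in range(8):
        state, iters, _, _, _ = SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)
        if state == KEY_ENABLED:
            active.append({"slot": i, "iterations": iters})
    return {"cipher": _text(cipher), "mode": _text(mode), "hash": _text(hash_spec),
            "key_bytes": key_bytes, "payload_sector": payload_off,
            "uuid": _text(uuid), "active_slots": active}


def read_header(image_path, partition_offset):
    """Read the candidate header from a raw image, opened read-only."""
    with open(image_path, "rb") as img:
        img.seek(partition_offset)
        return parse_luks1_header(img.read(HEADER_LEN))


def build_sample_header():
    """Constructed sample header (not from a real disk): one active key slot."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                    b"\x11" * 20, b"\x22" * 32, 100000,
                    b"00000000-0000-0000-0000-000000000000")
    slots = SLOT.pack(KEY_ENABLED, 250000, b"\x33" * 32, 8, 4000)
    slots += SLOT.pack(KEY_DISABLED, 0, b"\x00" * 32, 0, 4000) * 7
    return hdr + slots
```

Run `read_header()` against a working copy of the image with the partition's starting byte offset; a `None` result means the bytes at that offset are not a LUKS1 header.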